Hi asaha and welcome to Bleeping Computer. I will be handling your log and helping you to get cleaned up.

Please take note of the following:

1. Please do not make any system changes yet, as any changes you make may well alter your log.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

One of the infections you have is really nasty: ntos.exe is a 'backdoor/keylogger'.

* Can communicate with other computer systems using HTTP protocols
* Makes outbound connections to other computers using NETBIOSOUT protocols

In other words, it may well have stolen your passwords.... We have no way of telling.

If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

For more information read .... Here

If you choose to format and reinstall read ...... Here

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again.

If for any reason you decide to carry on with trying to fix these infections, I will add the 1st part of the fix to save you time. But like I say, it's entirely up to you if you want to continue.

Step 1

Download SDFix and save it to your desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.

Press any Key and it will restart the PC.

When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.

Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts.

If your firewall gives an alert (because this tool will download an additional file from the internet), please don't let your firewall block it..... allow it instead.

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

In your next reply, please submit: (ONLY IF YOU WANT TO CARRY ON WITH THIS FIX)

* Report.txt from SDFix
* Report.txt from FixWareout
* and a new Hjt log.

Thank you for helping me out on getting this fixed and my apologies for the delayed response. Following are the logs

SDFix

* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".

Step 2

You have a bad program on your system. Click on start... settings... control panel and double-click on Add or Remove Programs. From within Add or Remove Programs uninstall the following if they exist: (it may not be there, if not... don't worry)

This line:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Corresponds to Administrative lock down for changing the options or homepage in Internet Explorer. If you did not knowingly set this, you can remove the line as well.

Then close all other windows, browsers etc--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Reboot your computer to complete the process.

Step 4

Please download ComboFix

**Note: It is important that it is saved directly to your desktop**

There are full instructions on how to download and run ComboFix here: How to use ComboFix

Please follow all the instructions to the letter... (this is very important)

Note: Do not mouseclick ComboFix's window while it's running. This may cause it to stall.

When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply.

Hi asaha

It appears that the combofix.txt was cut off. I need to see the 'Reg Loading Points' etc, can you please post the combofix.txt again so that I have the complete report. You should be able to find the report at: C:\ComboFix.txt

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:

Once the files have been downloaded click on NEXT

Now click on Scan Settings

In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan: Select My Computer

This program will now start and scan your system.

The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

Step 4

I'd like to see an uninstall list.

Open HijackThis... click on Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save..... copy and paste the results in your next post.

More information with a screenshot, can be found here.